It is known that a data communication between electronic control units (ECUs) serving as nodes is performed through a bus, and that a data communication between an ECU and an external tool is performed through a bus. When the data communication is performed between the external tool and the ECU, it becomes possible to access to the ECU by connecting the external tool to the bus, and it becomes possible to rewrite a control program of the ECU and read out a data from the ECU (see Patent Document 1 for example).
Patent Document 1: JP 2004-192277A
Specifications of data communication standards and connection interfaces between an external tool and a bus are open to the public. Thus, not only a proper worker can connect a proper external tool to the bus but also a third party having a bad intention can connect an improper external tool to the bus. If the improper external tool is connected to the bus, the vehicle may be subject to attack such as the improper rewriting of the control program of the ECU, the improper reading out of the data from the ECU (so called a masquerading), or the like. The controller area network (CAN) is a data communication standard between the external tool and the ECU. In the CAN, since a data frame is broadcasted, wiretapping and analysis are relatively easy. Additionally, the CAN provides a data field for storing a data, an identifier field for identifying type of a data frame, a cyclic redundancy check (CRC) field for storing CRC check, etc. However, in the CAN, a source field for identifying a source (source address) of a data frame and an authentication field for authenticating a data frame are not provided.
Because of the above, protection measures against the improper connection of the external tool to the bus are desired.
Further, enhancement of security in data communication between ECUs and between the external tool and the ECU is desired. Although it may be possible to enhance the security by providing a node with a data encryption function, this leads to various difficulties such as configuration complication, processing load increase, and the like.